The present privacy notice (the “Privacy Notice”) details the conditions upon which the Bank, as controller, processes personal data about Data Subjects (as defined below) and shall be read in conjunction with the Bank’s general conditions (“General Conditions”).
Capitalized terms not otherwise defined herein shall have the meaning set forth in the General Conditions.
For the purpose of this article 1.2.1 only, the term Client also includes the potential clients of the Bank (prospects).
The Bank processes the Personal Data of its Clients in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and any amendments or replacements thereof (the “GDPR”) as well as any complementing or other law or regulation relating to the protection of Personal Data applicable to the Bank.
The provisions of this article 1.2.1 apply to the processing by the Bank in a capacity as Controller of Personal Data about (i) all the Clients of the Bank who are natural persons, or (ii) where the Client is a legal person, the attorney-in-fact, the beneficial owner, the manager, the representative, the employee and any other proxy of such Clients, and (iii) any other individual about whom the Bank processes Personal Data (hereinafter referred to as the “Data Subjects”).
In compliance with the principle of transparency, this Privacy Notice intends to inform Data Subjects about inter alia the processing operations carried out by the Bank as Controller as well as about their rights regarding the processing of Personal Data relating to them.
The Bank, as Controller, collects only the personal information which is necessary to fulfill its missions and only as part of its Clients’ service provision and/or for compliance with its legal or regulatory obligations. Personal Data is collected from Data Subjects (for example, when entering into a business relationship) and from third parties (for example, depending on the services provided, public authorities, lawyers and/or notaries), including from publicly available sources and subscription databases.
The refusal to disclose Personal Data to the Bank and the prohibition to deal with them, remaining at the discretion of the Client, may in certain circumstances be an obstacle to the conclusion of a contract or continuation of a relationship with the Bank, or may prevent the Client from using certain products or services offered by the Bank. The Bank will inform Data Subjects of such impediment upon the occurrence of such a refusal.
In the context of its activities and the services it provides to its Clients, the Bank generally processes the following non-exhaustive personal information about Data Subjects:
- personal details (e.g. date of birth, gender, marital status) and life and consumption habits (goods and services consumption, special dietary requirements);
- education and occupation (e.g. academic curriculum, employer, position, title, place of work);
- identification data generated by public services (e.g. passport number, identity card, national register, publication of annual financial statements);
- electronic identification data (e.g. email address);
- bank and financial identification data (e.g. bank account numbers and balance, credit card numbers);
- financial transactions records;
- data relating to the Client or Data Subject’s financial situation (e.g. income, assets and properties, credits, bank account balance, investment preferences);
- identification of tax residence and tax identification number;
- image and sound (e.g. telephone recordings, pictures on copies of identity documents, video recordings through the CCTV systems installed in the premises of the Bank);
- any information resulting from checks related to anti-money laundering and counter terrorism financing regulations (“AML/CTF”) and know your customer (“KYC”).
The above categories of data may include special categories of Personal Data, such as information about political opinions, affiliation to unions, religious beliefs and information about criminal convictions and offences.
The Bank processes Personal Data about Data Subjects according to the services provided to its Clients as well as for the compliance with its legal obligations generally.
In particular, the Bank processes Personal Data related to a Data Subject where processing is necessary:
- to take the preliminary steps necessary for the conclusion of the contract and its execution and for the purpose of providing its services to its Clients and performing its obligations according to the contractual terms managing its business relationship with the Client (including account administration, managing payment instructions and deposits, loans and mortgages and related securities, assessment of Client’s solvency and creditworthiness, investment and similar financial transactions) as well as for the need of updating the Client and Data Subject’s information;
- for compliance with the legal or regulatory obligations to which the Bank is subject, including in particular for the purposes of:
  - complying with the reporting requirements to the competent authorities, whether in terms of taxation or otherwise (such as the OECD Common Reporting Standard for exchange of information (“CRS”), FATCA, the Automatic Exchange of Information (“AEI”) and any exchange of information regime to which the Bank is subject from time to time) or legal/regulatory reporting to the supervisory authority, in which case the provision of information to the Bank is always mandatory – failure to respond may lead to incorrect or double reporting; in this context, Personal Data about Data Subjects will be shared with the Luxembourg tax authorities (and any service provider with which the Bank operates) who may in turn share the information with foreign tax authorities;
  - taking measures against money laundering and terrorism financing, including:
    - obligations to KYC (Customer Due Diligence (“CDD”) & KYC checks);
    - obligations of cooperation with Luxembourg and international authorities;
    - record keeping of services and transactions.
- for satisfying the Bank’s or a third party’s legitimate interest, in particular for purposes related to:
  - the Bank’s commercial development strategy to offer additional services adapted to the needs of its Clients (including direct marketing in the form of unsolicited commercial communications) and/or to meet their specific needs, where appropriate;
  - securing the premises, communication channels and IT systems used by the Bank;
  - accounting, demonstrating a transaction, managing risks or preventing fraud.
- on the basis of the relevant Data Subject’s consent (e.g. for any further processing of Personal Data).
Anyone who as a Client or on behalf of a Client communicates to the Bank or any of its representatives Personal Data about any Data Subjects must first provide the latter with the information about how the Bank processes Personal Data as described in this Privacy Notice. The Bank will hence consider that the Data Subjects concerned are informed of the processing of the Personal Data relating to them that the Bank may carry out and of the transfer of their Personal Data to certain recipients as described herein, and that, as far as necessary, the Client obtained the Data Subjects’ prior written consent.
In certain special cases, the Bank may request the consent of Data Subjects in relation to a specific Personal Data processing operation. The Bank informs Data Subjects that they may withdraw their consent at any time in accordance with, and subject to the limitations of, the applicable laws.
The phone extensions of the Bank used for “commercial or financial transactions” are recorded. In this regard, the Client is informed that the Bank may (and in certain circumstances is, as further described in the General Conditions, in the interest of the Client, obliged by law to), record telephone conversations or electronic communications. Such recordings aim at keeping track of transactions for evidencing purposes, complying with law and regulations, allowing assistance and investigations by the Bank or the competent authorities (including in the case where there exists a dispute between the Client and the Bank in relation to a transaction).
Nevertheless, if the Client (or any Data Subject acting on behalf of the Client) has a telephone conversation with an employee of the Bank and the subject of this conversation has nothing to do with a “commercial or financial transaction”, then the Client has the option of requesting the said employee to transfer the call to an unrecorded line. In this case, the Client is informed that no order or transaction will be dealt with or even considered by the Bank. Finally, the Client may not at any time claim to have transmitted an order or carried out a transaction by phone if he had specifically requested the use of an unrecorded line.
The Client is informed that in the event of any dispute between the parties hereto, the recordings may be used as evidence, particularly if, when the account was first opened, the Client requested that a phone call should be considered to be a valid means of communication with regard to the account.
Retention principle
Except as stated otherwise in the General Conditions, the Bank will keep Personal Data as long as, but not more than, necessary or required for satisfying the purposes pursued by the Bank as detailed above, the maximum period being either (i) the end of the relationship between the Client and the Bank plus the statutory limitation periods applicable for the exercise or defense of a legal claim (périodes de prescriptions légales, such as the commercial period of limitation of 10 years as from the end of the contractual relationship with a Client) or (ii) the end of the legal requirement to keep Personal Data for a certain period of time, even after the termination of the relationship between the Client and the Bank, whichever is later.
Archiving/record keeping
- To ensure compliance with its legal obligations as governed by the 2004 Law, the Bank is required to:
  - retain information and documents related to CDD for a period of five (5) years after the end of business relationship or after the date of an occasional transaction;
  - retain supporting evidence and records of transaction for a period of five (5) years after the end of a business relationship with the Client or after the date of an occasional transaction.
The regulatory authorities may order retention of such information or documents for a further period of five (5) years where the necessity and proportionality of such further retention has been established for the prevention, detection, investigation or prosecution of suspected money laundering or terrorist financing.
- To ensure compliance with its legal bookkeeping obligations, the Bank keeps its books, accounting documents, correspondence and archives, which may contain Personal Data, in original form or in copies on any medium it deems appropriate, for a period of ten (10) years starting from the end of the financial year to which they relate.
- The Bank will keep recordings of telephone conversations and electronic communications as long as, but not more than, necessary for the abovementioned purposes (i.e. keeping track of transactions for evidencing purposes, complying with law and regulations, allowing assistance and investigations by the Bank or the competent authorities), the maximum period being either (i) the end of the relationship between the Client and the Bank plus the statutory limitation periods applicable for the exercise or defense of a legal claim (périodes de prescriptions légales) or (ii) the end of the legal requirement to keep Personal Data for a certain period of time, even after the termination of the relationship between the Client and the Bank, whichever is later. Telephone recordings and electronic communications relating to certain transactions must by law be kept by the Bank for a period of five (5) years, or up to seven (7) years if required by the CSSF.
The Bank uses physical and technical means to protect the Personal Data of Data Subjects against any attempt at malicious and fraudulent use. The technical solutions used to store and process Personal Data are subject to enhanced surveillance in accordance with the Bank’s security policy and risk-based approach, which remains its priority.
As examples, the technical and organizational safeguards include encryption, anti-virus, firewalls, access controls, strict selection of personnel and providers to prevent and detect access, loss or inappropriate disclosures of Data Subjects’ Personal Data.
In the event of a security breach that could potentially compromise the protection of the Personal Data of Data Subjects under the control of the Bank, the Bank will act promptly to identify the cause of such breach and will take remedial measures. Depending on the nature and extent of the problem identified, the Bank will inform Data Subjects in accordance with the applicable legal provisions.
The Data Subject’s Personal Data may be transferred by the Bank to the following categories of recipients, to the extent that the Bank deems such disclosure or transmission to be required or necessary for satisfying the aforementioned purposes:
- other companies of the group to which the Bank belongs, other financial institutions, including banks, insurance companies and issuers of credit and debit cards, brokers, organizations involved in money transfers such as SWIFT (Society for Worldwide Interbank Financial Telecommunication);
- any legal entity which may acquire the Bank or certain of its assets in case of a merger and acquisition or restructuring;
- the Bank’s lawyers, notaries, external auditors or bailiffs;
- public, governmental, or judicial entities, in Luxembourg or abroad;
- Addressees (as defined in article 1.3.6 of the General Conditions), whose intervention is required for the purposes as detailed in said article 1.3.6 of the General Conditions and respectively located in Luxembourg or Andorra.
The Bank may also transfer the Personal Data, by virtue of a legal or regulatory obligation to which the Bank is subject, or by virtue of a constraint emanating from a public or judicial authority within the applicable legal limits. In accordance with the legal and regulatory requirements specific to the automatic exchange of information with the countries that have adhered to it, the Bank may disclose certain Personal Data relating to the Client’s tax residence status to the Luxembourg tax authorities.
The Luxembourg tax authorities may communicate the data transmitted by the Bank to each competent foreign tax authority in accordance with applicable legal and regulatory requirements. In some jurisdictions, the legal and regulatory requirements applicable to transactions involving financial instruments and similar rights require that the identity of the (in)direct holders or beneficial owners of such instruments and their positions in such instruments be disclosed.
Failure to comply with these obligations may lead to the freezing of financial instruments with all the possible consequences that result from them, such as the impossibility of exercising voting rights, the non-collection of dividends, the impossibility of selling the instruments concerned or any other sanction or restrictive measure, particularly in application of the applicable legal and regulatory provisions to which the Client is also required to comply.
To this purpose, the Client is informed that the Bank may be legally required to disclose to the competent authorities the identity of the Client and / or the beneficial owner as well as their positions in said financial instruments.
The Client is informed that the Principality of Andorra is a country which is currently recognized by the European Commission as offering an adequate level of data protection based on an adequacy decision (protection considered as equivalent as within the European Union). Therefore, appropriate safeguards as provided for under Chapter V of the GDPR shall not be implemented by the Bank with recipients (in particular service providers acting as Processors) located in the Principality of Andorra.
Any transfer of Personal Data by the Bank to a recipient (either acting as Processor or Controller when processing the Personal Data) located outside the European Economic Area (the “EEA”) will be made in accordance with the safeguards provided for under Chapter V of the GDPR.
Subject to the conditions of the GDPR, any Data Subject may request from the Bank any of the following:
1.11.1 Right of access
Each Data Subject has the right to obtain from the Bank confirmation as to whether or not Personal Data concerning the Data Subject are being processed, and, where that is the case, access to the Personal Data and relevant information in that regard.
Right to rectification
The Data Subject has the right to obtain from the Bank without undue delay the rectification of inaccurate Personal Data concerning him/her and, taking into account the purposes of the processing, the right to have incomplete Personal Data completed.
Right to restrict the processing of Personal Data
This right allows the Data Subject to ‘block’ or suppress a specific processing of his Personal Data.
Right to erasure
This right enables the Data Subject to request the Bank to delete or remove his Personal Data where there is no compelling reason for the continued processing thereof.
Right to object
The Data Subject has a right to object, on grounds relating to the Data Subject’s particular situation, at any time to the processing of Personal Data concerning him which is based on satisfying the legitimate interests pursued by the Bank. Should this right be exercised, the Bank shall no longer process the Personal Data, unless the Bank demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims.
Right to portability
Data Subjects will also have a right to the portability of their Personal Data, namely the right to receive Personal Data about them or to request the communication to another Controller in a structured format, commonly used and machine readable.
Consent withdrawal
Data Subjects may at any time withdraw the consent they have given in the cases where the Bank will have had to previously require such consent for the processing of Personal Data relating to themselves. The legality of consent-based processing operations carried out prior to such withdrawal will not be affected.
The Data Protection Officer (DPO) is the contact person for all questions regarding the processing and protection of Personal Data.
Data Subjects may submit to the Bank a request for the exercise of the aforementioned rights by sending a written request, signed and justifying his identity to the Bank, sent by e-mail to:
or by letter to the following address:
Banque de Patrimoines Privés,
Data Protection Officer
30, Boulevard Royal, L-2449 Luxembourg
The Bank, through the designated Data Protection Officer, undertakes to process the Client’s request as soon as possible.
The Client is also informed that he is entitled to lodge a complaint with the competent data protection authority, in particular in the Member State of his habitual residence.
In Luxembourg, such authority is:
Commission Nationale de Protection des Données (CNPD), 1, Rock’n’Roll Avenue – L-4361 Esch / Alzette.
- “Personal Data”
Any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing”
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Controller”
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
- “Processor”
The natural or legal person, public authority, service or other body that processes personal data on behalf of the Controller.
- “Recipient”
A natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
- “Third party”
A natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process Personal Data.
More specific information in relation to the processing of Personal Data and any updates or changes in relation to this Privacy Notice may be provided to the Client by the Bank by any notification letter (including by email) or any other appropriate means.
The Client shall communicate such updated Privacy Notice to any Data Subject concerned by the processing operations in accordance with this Privacy Notice.